Symbolic Resource Bound Inference forFunctional Programs

Ravichandhran Madhavan1 and Viktor Kuncak2

1 ravi.kandhadai@epfl.ch2 viktor.kuncak@epfl.ch

EPFL

Abstract. We present an approach for inferring symbolic resourcebounds for purely functional programs consisting of recursive functions,algebraic data types and nonlinear arithmetic operations. In our ap-proach, the developer specifies the desired shape of the bound as a pro-gram expression containing numerical holes which we refer to as tem-plates. For e.g, time ≤ a ∗ height(tree) + b where a, b are unknowns, isa template that specifies a bound on the execution time. We present ascalable algorithm for computing tight bounds for sequential and parallelexecution times by solving for the unknowns in the template. We em-pirically evaluate our approach on several benchmarks that manipulatecomplex data structures such as binomial heap, lefitist heap, red-blacktree and AVL tree. Our implementation is able to infer hard, nonlinearsymbolic time bounds for our benchmarks that are beyond the capabilityof the existing approaches.

1 Introduction

This paper presents a new algorithm and a publicly available tool for infer-ring resource bounds of functional programs.3 We focus on functional languagesbecause they eliminate by construction low-level memory errors and allow thedeveloper to focus on functional correctness and performance properties. Ourtool is designed to automate reasoning about such high-level properties. We ex-pect this research direction to be relevant both for improving the reliability offunctional programming infrastructure used in many enterprises (e.g. LinkedIn,Twitter, several banks), as well as for reasoning about software and hardwaresystems within interactive theorem provers [17], [21], [29], [12], [19], which oftenmodel stateful and distributed systems using functional descriptions.

The analysis we present in this paper aims to discover invariants (e.g. functionpostconditions) that establish program correctness as well as bounds on paralleland sequential program execution time. Such invariants often contain invocationsof user-defined recursive functions specific to the program being verified, suchas size or height functions on a tree structure. We therefore need a verificationtechnique that can prove invariants that are expressed in terms of user-defined

3 To download the tool please see http://lara.epfl.ch/w/software

2 Ravichandhran Madhavan and Viktor Kuncak

functions. To the best of our knowledge, our tool is the first available systemthat can establish such complex resource bounds with this degree of automation.

Our tool can show, for example, that a function converting a propositionalformula into negation-normal form takes no more than 44·size(f)−20 operations,where size(f) is the number of nodes in the formula f . The tool also proves thatthe depth of the computation graph (time in an infinitely parallel implementa-tion) is bounded by 5 · h(f) − 2, where h(f) ≥ 1 is the height of the formulatree. As another example, it shows that deleting from an AVL tree requires thenumber of operations given by 145 ·h(t) + 19, where h(t) ≥ 0 is the height of thetree t, whereas the depth of the computation graph is 51 · h(t) + 4.

Our tool takes as input the program, as well as the desired shapes of invari-ants, which we call templates. The goal of the analysis becomes finding coeffi-cients in the templates. The coefficients in practice tend to be sufficiently largethat simply trying out small values does not scale. We therefore turn to one ofthe most useful techniques for finding unknown coefficients in invariants: Farkas’lemma. This method converts a ∃∀ problem on linear constraints into a purelyexistential problem over non-linear constraints.

The challenge that we address is developing a practical technique that makessuch expensive non-linear reasoning work on programs and templates that con-tain invocations of user-defined recursive functions, that use algebraic data types(such as trees and lists), and that have complex control flow with many disjunc-tions.

We present a publicly available tool that handles these difficulties throughan incremental and counterexample-driven algorithm that soundly encodes al-gebraic data types and recursive functions and that fully leverages the abilityof an SMT solver to handle disjunctions efficiently. We show that our techniqueis effective for the problem of discovering highly application-specific inductiveresource bounds in functional programs.

2 Background and Enabling Techniques

We first present key existing technology on which our tool builds.

2.1 Instrumenting Programs to Track Resource Bounds

Our approach decouples the semantics of resources such as execution time fromtheir static analysis. We start with the exact instrumentation of programs withresource bounds, without approximating e.g. conditionals or recursive invoca-tions. To illustrate our approach, consider a simple Scala [22] program shownin Fig. 1, which appends a list l2 to the reverse of l1. We use this program asour running example. The recursive function size counts the length of its listargument; it is user-defined and omitted for brevity.

Fig. 2 illustrates the instrumentation for tracking execution time on thisexample. For every expression e in the program the resource consumed by e iscomputed as a function of the resources consumed by its sub-expressions. For

Symbolic Resource Bound Inference for Functional Programs 3

def revRec(l1:List, l2:List) : List =(l1 match {case Nil() ⇒ l2case Cons(x,xs) ⇒

revRec(xs, Cons(x, l2))})ensuring(res ⇒ time ≤ a∗size(l1) + b))

Fig. 1. Appending l2 to the reverse of l1

def revRec(l1:List,l2:List):(List,Int) =(l1 match {case Nil() ⇒ (l2, 1)case Cons(x,xs) ⇒val (e, t) = revRec(xs, Cons(x,l2))(e, 5 + t) })

ensuring(res ⇒ res. 2 ≤ a∗size(l1) + b))

Fig. 2. After time instrumentation

instance, the execution time of an expression (such as e1 ∗ e2) is the sum ofthe execution times of its arguments (e1 and e2) plus the time taken by theoperation (here, ∗) performed by the expression (in this case, 1). We expose theresource usage of a procedure to its callers by augmenting the return value of theprocedure with its resource usage. The resource consumption of a function call isdetermined as the sum of the resources consumed by the called function (whichis exposed through its augmented return value) plus the cost of invoking thefunction. The cost of primitive operations, such as +, variable access, etc., areparametrized by a cost model which is, by default, 1 for all primitive operations.

Another resource that we consider in this paper is depth, which is a measureof parallelism in an expression. Depth [6] is the longest chain of dependenciesbetween the operations of an expression. The depth and work (the sequentialexecution time) of programs have been used by the previous works to accuratelyestimate the parallel running times on a given parallel system [6]. Fig. 3 andFig. 4 illustrate the instrumentation our tool perform to compute the depthof a procedure that traverses a tree. We compute the depth of an expression

def traverse(t: Tree) = (t match {case Leaf() ⇒ f(t)case Node(l,v,r) ⇒

traverse(l) + traverse(r) + f(t))ensuring(res ⇒ depth ≤ a∗height(t) + b)

Fig. 3. A tree traversal procedure

def traverse(t: Tree):(Tree,Int)= (t match{case Leaf() ⇒ f(t)case Node(l,v,r) ⇒val (el, dl) = traverse(l)val (er, dr) = traverse(r)val (e, d) = f(t)(el+er+e, max(max(dl,dr)+1,d)+5)) })

ensuring(res ⇒ res. 2 ≤ a∗height(t) + b)

Fig. 4. After depth instrumentation

similarly to its execution time, but instead of adding the resource usages of thesub-expressions, we compute their maximum.

Every inductive invariant for the instrumented procedure obtained by solv-ing for the unknowns a, b is a valid bound for the resource consumed by theoriginal procedure. Moreover, the strongest invariant is also the strongest bound

4 Ravichandhran Madhavan and Viktor Kuncak

on the resource. Notice that the instrumentation increases the program sizes,introduces tuples and, in the case of depth instrumentation, creates numerousmax operations.

2.2 Solving Numerical Parametric Formulas

Our approach requires deciding validity of formulas of the form ∃a.∀x.¬φ, wherea is a vector of variables. The formulas have a single quantifier alternation. Wethus need to find values for a that will make φ unsatisfiable. We refer to φ asa parametric formula whose parameters are the variables a. When the formulaφ consists only of linear inequalities, finding values for the parameters a canbe converted to that of satisfying a quantifier-free nonlinear constraint (Farkas’constraint) using a known reduction, sketched below.

A conjunction of linear inequalities is unsatisfiable if one can derive a contra-diction 1 ≤ 0 by multiplying the inequalities by non-negative values, subtractingthe smaller terms by non-negative values and adding the coefficients in the in-equalities. E.g, ax+by+c ≤ 0∧x−1 ≤ 0 is unsatisfiable if there exist non-negativereal numbers λ0, λ1, λ2 such that λ1 · (ax+ by+ c) +λ2 · (x− 1)−λ0 ≤ 0 reducesto 1 ≤ 0. Hence, the coefficients of x and y should become 0 and the constantterm should become 1. This yields a nonlinear constraint λ1a+ λ2 = 0 ∧ λ1b =0∧ λ1c− λ2 − λ0 = 1∧ λ0 ≥ 0∧ λ1 ≥ 0∧ λ2 ≥ 0. The values of a and b in everymodel for this nonlinear constraint will make the inequalities unsatisfiable.

This approach has been used by previous works [7,9,15] to infer linear invari-ants for numerical programs. There are two important points to note about thisapproach: (a) In the presence of real valued variables, handling strict inequalitiesin the parametric formula requires an extension based on Motzkin’s transposi-tion theorem as discussed in [24]. (b) This approach is complete for linear realformulas by Farkas’ Lemma, but not for linear integer formulas. However, theincompleteness did not manifest in any of our experiments. Similar observationhas also been documented in the previous works such as [15].

2.3 Successive Function Approximation by Unfolding

To construct verification conditions (VCs) in the presence of algebraic data-types(ADTs) and recursive functions we use the approach employed in the Leon ver-ifier [5,28]. The approach constructs VCs incrementally wherein each incrementmakes the VC more precise by unrolling the function calls that have not beenunrolled in the earlier increments (referred to as VC refinement). The functionsin the VCs at any given step are treated as uninterpreted functions. Hence, everyVC created is a sufficient but not necessary condition for the postcondition to beinductive. The postcondition is inductive if any of the generated VCs are valid.The refinement of VCs continues forever until the postcondition is proven. Inour implementation, we enforce termination by bounding the number of times arecursive function call is unrolled (fixed as 2 in our experiments).

Symbolic Resource Bound Inference for Functional Programs 5

We explain the VC generation and refinement on the revRec function shownin Fig. 2. The initial VC that we create for revRec is shown below

∀l1, l2, res, x, xs, e, t, r, f1, f2, size, revRec. ¬φφ ≡ ((l1 = Nil() ∧ res = (l2, 1)) ∨ (l1 = Cons(x, xs) ∧ res = (e, 5 + t) ∧ (e, t) =

revRec(xs,Cons(x, l2))) ∧ f2 > ar + b ∧ r = size(l1) ∧ res = (f1, f2) (1)

The function symbols in the VC are universally quantified as they are treated asuninterpreted functions. The combined algorithm presented in the next sectionsolves for the parameters a, b so that the VC holds for any definition of size andrevRec. If the formula (1) has no solution, it then refines the VC by unrollingthe calls to size and revRec. For instance, unrolling r = size(l1) in the aboveformula will conjoin the predicate with the formula (l1 = Nil() ∧ r = 0) ∨ (l1 =Cons(x1, xs1)∧r = 1+r2∧r2 = size(xs1)) that corresponds to the body of size.The subsequent refinements will unroll the call r2 = size(xs1) and so on. Notethat, whereas unfolding is the key mechanism in Leon [5, 28], here it is used ina new combination, with the inference of numerical parameters.

3 Invariant Inference Algorithm

We next present core techniques of our algorithm for inferring resource bounds.The algorithm introduces new techniques and combines the existing techniquesto overcome their individual weaknesses.

3.1 Solving Formulas with Algebraic Data Types and Recursion

We first describe our approach for solving parametric formulas that are simi-lar to constraint (1) with ADTs, uninterpreted functions, linear and nonlineararithmetic operations.

Eliminating Uninterpreted Functions and ADT Constructors fromParametric Disjuncts. Let d be a parametric formula with parameters param

defined over a set of variables X and uninterpreted function symbols Xf . Wereduce this to a formula d′ that does not have any uninterpreted functions andADT constructors using the axioms of uninterpreted functions and ADTs asdescribed below. We convert d to negation normal form and normalize the re-sulting formula so that every atomic predicate (atom) referring to uninterpretedfunctions or ADTs is of the form r = f(v1, v2, . . . , vn) or r = cons(v1, v2, . . . , vn)where f is a function symbol, cons is the constructor of an ADT and r, v1, . . . , vnare variables. We refer to this process as purification. Let F and T be the set offunction atoms and ADT atoms in the purified formula.

let δ1 =∧{(

n∧i=1

vi = ui)⇒ (r = r′) | r = f(v1, . . . , vn),r′ = f(u1, . . . , un) ∈ F}

let δ2 =∧{(

n∧i=1

vi = ui)⇔ (r = r′) | r = cons(v1, . . . , vn),r′ = cons(u1, . . . , un) ∈ T}

let δ = (purify(d) \ (F ∪ T )) ∧ δ1 ∧ δ2

6 Ravichandhran Madhavan and Viktor Kuncak

where δ \ (F ∪ T ) is a formula obtained by substituting with true every atomicpredicate in F or T . Notice that the above elimination procedure uses only thefact that the ADT constructors are injective. Due to this the completeness ofour approach may not be immediately obvious. In section 3.2 we formalize thecompleteness property of our approach.

Applying the above reduction to the disjunct dex of Constraint (1) alongwhich l = Nil(), results in a constraint of the form sketched below. We considertuples also as ADTs.

purify(dex) =

{(l1 = Nil() ∧ res = (l2, 1) ∧ f2 > ar + b

∧r = size(n1) ∧ res = (f1, f2)

δex = (f2 > ar + b ∧ ((l2 = f1 ∧ f2 = 1)⇔ res = res)) (2)

The formula δ obtained by eliminating uninterpreted function symbols andADTs typically has several disjunctions. In fact, if there are n function symbolsand ADT constructors in d then d′ could potentially have O(n2) disjunctions

and O(2n2

) disjuncts. Our approach described in the next subsection solves theparametric formulas incrementally based on counter-examples.

3.2 Incrementally Solving Parametric Formulas

Figure 5 presents our algorithm for solving an alternating satisfiability problem.Given a parametric formula, the goal is to find an assignment ι for params suchthat replacing params according to ι results in unsatisfiable formula. We explainour algorithm using the example presented in the earlier section. Consider theVC given by constraint (1). Initially, we start with some arbitrary assignmentι for the parameters a and b (line 5 of the algorithm). Say ι(a) = ι(b) = 0initially. Next, we instantiate (1) by replacing a and b by 0 (line 8), which resultsin the non-parametric constraint: φex : ((l1 = Nil() ∧ res = (l2, 1)) ∨ (l1 =Cons(x, xs) ∧ res = (e, 5 + t) ∧ (e, t) = revRec(xs,Cons(x, l2)) ∧ f2 > 0 ∧ r =size(l1) ∧ res = (f1, f2).

If the constraint becomes unsatisfiable because of the instantiation then wehave found a solution. Otherwise, we construct a model σ for the instantiatedformula as shown in line 11. For the constraint φex shown above, l1 7→ Nil(), l2 7→Nil(), res 7→ (Nil(), 1), r 7→ −1 and size 7→ λx.(x = Nil() → −1 | 0) is amodel. In the next step, we combine the models ι and σ and construct σ′. Notethat ι is an assignment for parameters and σ is an assignment for universallyquantified variables. Using the model σ′ we choose a disjunct of the parametricformula (1) that is satisfied by σ′. For our example, the disjunct chosen will bedex : l1 = Nil() ∧ res = (l2, 1) ∧ f2 > ar + b ∧ r = size(l1) ∧ res = (f1, f2).This operation of choosing a disjunct satisfying a given model can be performedefficiently in time linear in the size of the formula without explicitly constructinga disjunctive normal form.

The function elimFunctions invoked at line 14 eliminates the function symbolsand ADT constructors from the disjunct d using the approach described in sec-tion 3.1. Applying elimFunctions on dex results in the formula δex given by (2). We

Symbolic Resource Bound Inference for Functional Programs 7

1 input : A parametric linear formula φ with parameters ’params’2 output : Assignments for params such that φ(params) is unsatisfiable3 or ∅ if no such assignment exists4 def solveUNSAT(params, φ) {5 construct an arbitrary initial mapping ι : params 7→ R6 var C = true7 while(true) {8 let φinst be obtained from φ by replacing every t ∈ params by ι(t)9 if (φinst is unsatisfiable) return ι

10 else {11 choose σ such that σ |= φinst

12 let σ′ be ι ] σ13 choose a disjunct d of φ such that σ′ |= d14 let δ be elimFunctions(d)15 choose a disjunct d′ of δ such that σ′ |= d′

16 let dnum be elim(d′)17 let Cd be unsatConstraints(dnum)18 C = C ∧ Cd

19 if (C is unsatisfiable) return ∅20 else {21 choose m such that m |= C22 let ι be the projection of m onto params }}}}

Fig. 5. A procedure for finding parameters for a formula to make it unsatisfiable.unsatConstraints generates nonlinear constraints for unsatisfiability of a disjunct asillustrated in section 2.2.

choose a disjunct d′ of δ that satisfies the model σ′. For our example, the disjunctof δex that will be chosen is d′ex : l2 = f1 ∧ f2 = 1 ∧ res = res ∧ f2 > ar + b.

Eliminating non-numerical predicates from a disjunct (elim). We nowdescribe the operation elim at line 16. Let d′ be the parametric disjunct chosenin the previous step. d′ is a conjunction of atomic predicates (atoms). Let dtdenote the atoms that consist of variables of ADT type or boolean type. Let dndenote the atoms that do not contain any parameters and only contain variablesof numerical type. Let dp denote the remaining atoms that has parameters andnumerical variables.

For the example disjunct d′ex, dt is l2 = f1, dn is f2 = 1 and dp is f2 > ar+b.The disjunct dt can be dropped as dt cannot be falsified by any instantiationof the parameters. This is because dp and dt will have no common variables.The remaining disjunct dn ∧ dp is completely numerical. However, we simplifydn ∧ dp further as explained below. We construct a simplified formula d′n byeliminating variables in dn that do not appear in dp by applying the quantifierelimination rules of Presburger arithmetic on dn [23]. In particular, we applythe one-point rule that uses equalities to eliminate variables and the rule thateliminates relations over variables for which only upper or lower bounds exist.dn ∧ dp is unsatisfiable iff d′n ∧ dp is unsatisfiable.

8 Ravichandhran Madhavan and Viktor Kuncak

Typically, dn has several variables that do not appear in dp. This eliminationhelps reduce the sizes of the disjuncts and in turn the sizes of the nonlinearconstraints generated from the disjunct. Our experiments indicate that the sizesof the disjuncts are reduced by 70% or more.

We construct nonlinear Farkas’ constraints (line 17) for falsifying the dis-junct dnum, obtained after elimination phase, as described in section 2.2. Weconjoin the nonlinear constraint with previously generated constraints, if any(lines 17,18). A satisfying assignment to the new constraint will falsify everydisjunct explored thus far. We consider the satisfying assignment as the nextcandidate model ι for the parameters and repeat the above process.

If the nonlinear constraint C is unsatisfiable at any given step then we con-clude that there exists no solution that would make φ unsatisfiable. In this case,we refine the VC by unrolling the functions calls as explained in section 2.3 andreapply the algorithm solveUNSAT on the refined VC.

Correctness, Completeness and Termination of solveUNSAT.Let F denote parametric linear formulas belonging to the theory of real

arithmetic, uninterpreted functions and ADTs, in which parameters are realvalued and appear only as coefficients of variables.

Theorem 1. Let φ ∈ F be a linear parametric formula with parameters params.

1. The procedure solveUNSAT is correct for F . That is, if ι 6= ∅ then ι is anassignment for parameters that will make φ unsatisfiable.

2. The procedure solveUNSAT is complete for F . That is, if ι = ∅ then there doesnot exist an assignment for params that will make φ unsatisfiable.

3. The procedure solveUNSAT terminates.

The correctness of procedure solveUNSAT is obvious as the procedure returns amodel ι iff ι makes the formula φ unsatisfiable. The algorithm terminates since,in every iteration of the solveUNSAT algorithm, at least one satisfiable disjunctof elimFunctions(d) is made unsatisfiable, where d is a disjunct of φ. The numberof disjuncts that can be falsified by the solveUNSAT procedure is bounded byO(2n

2

), where n is the number of atoms in φ. Note that, in practice, our toolexplores a very small fraction of the disjuncts (see section 4). The proof ofcompleteness of the procedure is detailed in [20]. An important property thatensures completeness is that the operation elimFunctions is applied only on asatisfiable disjunct d. This guarantees that the predicates in d involving ADTvariables do not have any inconsistencies. Since the parameters can only influencethe values of numerical variables, axioms that check for inconsistencies amongthe ADT predicates can be omitted.

Theorem 1 implies that the procedure we described in the previous sectionsfor solving parametric VCs, in the presence of recursive functions, ADTs andarithmetic operations, that iteratively unrolls the recursive functions in the VCand applies the solveUNSAT procedure in each iteration is complete when therecursive functions are sufficiently surjective [27, 28] and when the arithmeticoperations in the VCs are parametric linear operations over reals.

Symbolic Resource Bound Inference for Functional Programs 9

3.3 Solving Nonlinear Parametric Formulas

Nonlinearity is common in resource bounds. In this section, we discuss our ap-proach for handling nonlinear parametric formulas like φex : wz < xy ∧ x <w − 1 ∧ y < z − 1 ∧ ax + b ≤ 0 ∧ ay + b ≤ 0 where a, b are parameters. Ourapproach is based on axiomatizing the nonlinearity operations. We handle multi-plication by using axioms such as ∀x, y. xy = (x−1)y+y, ∀x, y. xy = x(y−1)+xand monotonicity properties like (x ≥ 0 ∧ y ≥ 0 ∧ w ≥ x ∧ z ≥ y) ⇒ xy ≤ wz.Similarly, we axiomatize exponential functions of the form Cx, where C is aconstant. For example, we use the axiom ∀x. 2x = 2 · 2x−1 together with themonotonicity axiom for modelling 2x. The axioms are incorporated into the ver-ification conditions by recursive instantiation as explained below.

Axioms such as xy = (x−1)y+y that are recursively defined are instantiatedsimilar to unrolling a recursive function during VC refinements. For example, ineach VC refinement, for every atomic predicate r = xy that occurs in the VC,we add a new predicate r = (x − 1)y + y if it does not exist. We instantiatea binary axiom, such as monotonicity, on every pair of terms in the VC onwhich it is applicable. For instance, if r = f(x), r′ = f(x′) are two atomsin the VC and if f has a monotonicity axiom, then we conjoin the predicate(x ≤ x′ ⇒ r ≤ r′) ∧ (x′ ≤ x ⇒ r′ ≤ r) to the VC. This approach can beextended to N-ary axioms. If the axioms define a Local Theory Extension [16](like monotonicity) then the instantiation described above is complete.

Consider the example formula φex shown above. Instantiating the multipli-cation axioms a few times will produce the following formula (simplified forbrevity): wz < xy ∧ xy = (x − 1)(y − 1) + x + y − 1 ∧ ((x ≥ 0 ∧ y ≥ 0 ∧ x ≤w ∧ y ≤ z) → xy ≤ wz) ∧ x < w − 1 ∧ y < z − 1 ∧ ax + b ≤ 0 ∧ ay + b ≤ 0.This formula can be solved without interpreting multiplication. a = −1, b = 0 isa solution for the parameters.

3.4 Finding Strongest Bounds

For computing strongest bounds, we assume that every parameter in the tem-plate appears as a coefficient of some expression. We approximate the rate ofgrowth of an expression in the template by counting the number of functioninvocations (including nonlinear operations) performed by the expression. Weorder the parameters in the descending order of the estimated rate of growthof the associated expression, breaking ties arbitrarily. Let this order be v. Forinstance, given a template res≤a∗f(g(x,f(y))+c∗g(x)+a∗x +b, we order the param-eters as a v c v b. We define an order ≤∗ on Params 7→ R by extending ≤lexicographically with respect to the ordering v. We find a locally minimumsolution ιmin for the parameters with respect to ≤∗ as explained below.

Let ι be the solution found by the solveUNSAT procedure. ι is obtained bysolving a set of nonlinear constraints C. We compute a minimum satisfyingassignment ιmin for C with respect to the total order ≤∗ by performing a binarysearch on the solution space of C starting with the initial upper bound given byι. We stop the binary search when, for each parameter p, the difference between

10 Ravichandhran Madhavan and Viktor Kuncak

the values of p in the upper and lower bounds we found is ≤ 1. We need tobound the difference between the upper and lower bounds since the parametersin our case are reals. ιmin may not falsify φ although ι does. This is because Conly encodes the constraints for falsifying the disjuncts of φ explored until someiteration. We use ιmin as the next candidate model and continue the iterationsof the solveUNSAT algorithm.

In general, the inferred bounds are not guaranteed to be the strongest as theverification conditions we generate are sufficient but not necessary conditions.However, it would be the strongest solution if the functions in the program aresufficiently surjective [27, 28], if there are no nonlinear operations and there isno loss of completeness due to applying Farkas’ Lemma on integer formulas. Oursystem also supports finding a concrete counter-example, if one exists, for thevalues smaller than those that are inferred.

3.5 Inference of Auxiliary Templates

We implemented a simple strategy for inferring invariant templates automati-cally for some functions. For every function f for which a template has not beenprovided, we assume a default template that is a linear combination of integervalued arguments and return values of f . For instance, for a function size(l) weassume a template a∗res+b≤0 (where, res is the return value of size). This enablesus to infer and use correctness invariants like size(l)≥0 automatically.

3.6 Analysis Strategies

Inter-procedural analysis. We solve the resource bound templates for thefunctions modularly in a bottom-up fashion. We solve the resource bound tem-plates of the callees independent of the callers, minimize the solution to findstrong bounds and use the bounds while analysing the callers. The auxiliarytemplates that we infer automatically are solved in the context of the callers inorder to find context-specific invariants.

Targeted unrolling. Recall that we unroll the functions in a VC if the VCis not solvable by solveUNSAT (i.e, when the condition at line 19 is true). As anoptimization we make the unrolling process more demand-driven by unrollingonly those functions encountered in the disjuncts explored by the solveUNSAT

procedure. This avoids unrolling of functions along disjuncts that are alreadyunsatisfiable in the VC.

Prioritizing Disjunct Exploration. Typically, the VCs we generate have alarge number of disjuncts some of which are easier to reduce to false comparedto others. We bias the implementation to pick the easier disjuncts by usingtimeouts on the nonlinear constraints solving process. Whenever we timeoutwhile solving a nonlinear constraint, we block the disjunct that produced thenonlinear constraint in the VC so that it is not chosen again. In our experiments,we used a timeout of 20s. This strategy, though conceptually simple, made theanalysis converge faster on many benchmarks.

Symbolic Resource Bound Inference for Functional Programs 11

4 Empirical Evaluation

We have implemented our algorithm on top of the Leon verifier for Scala [5],building on the release from the GitHub repository. We evaluate our tool ona set of benchmarks shown in Fig. 6 written in a purely functional subset ofScala programming language. The experiments were performed on a machinewith 8 core, 3.5 GHz, intel i7 processor, having 16GB RAM, running Ubuntuoperating system. For solving the SMT constraints generated by tool we use theZ3 solver of [10], version 4.3. The Benchmarks used in the evaluation comprisesof approximately 1.5K lines of functional Scala code with 130 functions and 80templates. All templates for execution bounds specified in the benchmarks wereprecise bounds. Fig. 6 shows the lines of codes loc, number of procedures P and asample template for running time bound that was specified, for the benchmarks.

Benchmark loc P Sample template used in benchmark

List Operations (list) 60 8 a∗(size(l)∗size(l))+bBinary search tree (bst) 91 8

addAll a∗(lsize(l)∗(height(t)+lsize(l)))+b∗lsize(l)+cremoveAll a∗(lsize(l)∗height(t))+b∗lsize(l)+c

Doubly ended queue (deq) 86 14 a∗qsize(q)+bProp. logic transforms (prop) 63 5 a∗size(formula)+bBinary Trie (trie) 119 6 a∗inpsize(inp)+cqsort, isort, mergesort (sort) 123 12 a∗(size(l)∗size(l))+bLoop transformations (loop) 102 10 a∗size(program)+bConcatenate variations (cvar) 40 5

strategy 1 a∗((n∗m)∗m)+c∗(n∗m)+d∗n+e∗m+fstrategy 2 a∗(n∗m)+b∗n+c∗m+d

Leftist heap (lheap) 81 10merge a∗rheight(h1)+b∗rheight(h2)+cremoveMax a∗leftRightheight(h) + b

Redblack tree (rbt) 109 11 a∗blackheight(t)+bAVL tree (avl) 190 15 a∗height(t)+bBinomial heap (bheap) 204 12

merge a∗treenum(h1)+b∗treenum(h2)+cdeleteMin a∗treenum(h1)+b∗minchildren(h2)+c

Speed benchmarks(speed) 107 8 a∗((k+1)∗(len(sb1)+len(sb2)))+b∗size(str1)+cFold operations (fold) 88 7

listfold, treefold a∗(k∗k)+b, a∗size(t)+b

Fig. 6. Benchmarks used in the evaluation comprising of approx. 1.5K lines of scalacode, 130 functions and 80 templates. P denotes the number of procedures.

The benchmark list implements a set of list manipulation operations likeappend, reverse, remove, find and distinct–that removes duplicates. bst imple-ments a binary search tree with operations like insert, remove, find, addall andremoveall. The function lsize(l) (used in the templates) is the size of the list of el-ements to be inserted/removed from the tree. deq is an amortized, doubly-ended

12 Ravichandhran Madhavan and Viktor Kuncak

queue with enqueue, dequeue, pop and concat operations. prop is a set of propo-sitional logic transformations like converting a formula to negation normal formand simplifying a formula. lheap is a leftist heap data-structure implementationwith merge, insert and removemax operations. This benchmark also specified a

logarithmic bound on the right height : 2rheight(h)≤a∗heapSize(h) + b which wassolved by the tool. The function leftRightheight (used in the template) computesthe right height of the left child of a heap.

trie is a binary prefix tree with operations: insert–that inserts a sequenceof input bits into the tree, find, create –that creates a new tree from an in-put sequence and delete–that deletes a sequence of input bits from the tree.The benchmark cvars compares two different strategies for sequence concate-nation. One strategy exhibits cubic behavior on a sequence of concatenationoperations (templates shown in Fig. 6) and the other exhibits a quadratic be-havior. rbt is an implementation of red-black tree with insert and find opera-tions. This benchmark also specified a logarithmic bound on the black height:

2blackheight(h)≤a∗treeSize(h)+b which was solved by the tool.

avl is an implementation of AVL tree with insert, delete and find operations.bheap implements a binomial heap with merge, insert and deletemin operations.The functions treenum and minchildren (used in templates), compute the numberof trees in a binomial heap and the number of children of the tree containingthe minimum element, respectively. speed is a functional translation of the codesnippets presented in figures 1,2, 9 of [14], and the code snippets on which itwas mentioned that the tool failed (Page 138 in [14]). The benchmark fold is acollection of fold operations over trees and lists. These were mainly included forevaluation of depth bounds.

Fig. 7 shows the results of running our tool on the benchmarks. The columnbound shows the time bound inferred by the tool for the sample template shownin Fig. 6. This may provide some insights into the constants that were inferred.The bounds inferred are inductive. Though the constants inferred could poten-tially be rationals, in many cases, the SMT solver returned integer values. In casea value returned by the solver for a parameter is rational, we heuristically checkif the ceil of the value also yields an inductive bound. This heuristic allowed usto compute integer values for almost all templates.

The column time shows the total time taken for analysing a benchmark. Inparentheses we show the time the tool spent in minimizing the bounds afterfinding a valid initial bound. The subsequent columns provide more insights intothe algorithm. The column VC size shows the average size of the VCs generatedby the benchmarks averaged over all refinements. The tool performed 11 to 42VC refinements on the benchmarks. The column disj. shows the total number ofdisjuncts falsified by the tool and the column NL size shows the average size ofthe nonlinear constraints solved in each iteration of the solveUNSAT procedure.

Our tool was able to solve 78 out of 80 templates. Two templates were notsolvable because of the incompleteness in the handling of nonlinearity. The re-sults also show that our tool was able to keep the average size of the generatednonlinear constraints small in each iteration in spite of the large VC sizes, which

Symbolic Resource Bound Inference for Functional Programs 13

Sample bound inferred time avg.VC disj. NLtime≤ (min.time) size size

list 9∗(size(l)∗size(l))+2 17.7s (8.7s) 1539.7 108 59.9

bst 8∗(lsize(l)∗(height(t)+lsize(l))) 31s (14.2s) 637.4 79 84+2∗lsize(l)+1

29∗(lsize(l)∗height(t))+7∗lsize(l)+1

deq 9∗qsize(q)+26 17.3s (8.6s) 405.7 80 27.9

prop 52∗size(formula)−20 19.5s (1.2s) 1398.5 59 38.1

trie 42∗inpsize(inp)+3 3.3s (0.5s) 356.8 54 23.5

sort † 8∗(size(l)∗size(l))+2 6.8s (1.6s) 274.9 85 29.6

loop 16∗size(program)−10 10.6s (4.9s) 1133.8 44 52.4

cvar 5∗((n∗m)∗m)−(n∗m)+0∗n+8∗m+2 25.2s (14.7s) 1423.2 61 49.49∗(n∗m)+8∗m+0∗n+2

lheap 22∗rheight(h1)+22∗rheight(h2)+1 166.7s (144s) 1970.5s 152 106.444∗leftRightheight(h)+5

rbt 178∗blackheight(t)+96 124.5s (18.8s) 3881.2 149 132.6

avl 145∗height(t)+19 412.1s (259.1s) 1731.8 216 114

bheap 31∗treenum(h1)+38∗treenum(h2)+1 469.1s (427.1s) 2835.5 136 157.270∗treenum(h1)+31∗minchildren(h2)+22

speed 39∗((k+1)∗(len(sb1)+len(sb2))) 28.6s (6.4s) 1084.9 111 85.8+18∗size(str1)+34

fold 12∗(k∗k)+2 8.5s (0.8s) 331.8 44 2312∗size(t)+1

Fig. 7. Results of running our tool on the benchmarks. † the tool failed on 2 templatesin the sort benchmark

is very important since even the state-of-the-art nonlinear constraint solvers donot scale well to large nonlinear constraints.

Fig. 8 shows the results of applying our tool to solve templates for depthbounds for our benchmarks. All the templates used were precise. The tool wasable to solve all 80 templates provided in the benchmarks. In Fig. 8, the bench-marks which have asymptotically smaller depth compared to their execution time(work) are starred. Notice that the constants involved in the depth bounds aremuch smaller for every benchmark compared to its work, even if the depth is notasymptotically smaller than work. Notice that the tool is able to establish thatthe depth of mergesort is linear in the size of its input; the depth of negationnormal form transformation is proportional to the nesting depth of its inputformula and also that the depth of fold operations on trees is linear in the heightof the tree.

Comparison with CEGIS. We compared our tool with Counter ExampleGuided Inductive Synthesis(CEGIS) [26] which, to our knowledge, is the only ex-isting approach that can be used to find values for parameters that would falsifya parametric formula containing ADTs, uninterpreted functions and nonlinearoperations. CEGIS is an iterative algorithm that, given a parametric formula φwith parameters param and variables X, makes progress by finding a solution

14 Ravichandhran Madhavan and Viktor Kuncak

Inferred depth bound: depth≤ time

list 5∗(size(l)∗size(l))+1 9.7s

bst 4∗(lsize(l)∗(height(t)+lsize(l)))+2∗lsize(l)+1 335.8s4∗(lsize(l)∗height(t))+4∗lsize(l)+1

deq 3∗qsize(q)+13 106.4s

prop* 5∗nestingDepth(formula)−2 31.4s

trie 8∗inpsize(inp)+1 4.1s

msort* 45∗size(l)+1 20.2sqsort 7∗(size(l)∗size(l))+5∗size(l)+1 164.5sisort 5∗(size(l)∗size(l))+1 3s

loop 7∗size(program)−3 404s

cvar 3∗((n∗m)∗m)− 18∗(n∗m)+n+5∗m+1 270.8s

3∗(n∗m)+3∗n+4∗m+1

lheap 7∗rheight(h1)+7∗rheight(h1)+1 42s14∗leftRightheight(h)+3

rbt 22∗height(t)+19 115.3s

avl 51∗height(t)+4 185.3s

bheap 7∗treenum(h1)+7∗treenum(h2)+2 232.5s22∗treenum(h1)+7∗minchildren(h2)+16

speed 6∗((k+1)∗(len(sb1)+len(sb2)))+5∗size(str1)+6 41.8s

fold* 6∗k+1 3.1s5∗height(tree)+1

Fig. 8. Results of inferring bounds on depths of benchmarks.

for param that rules out at least one assignment for X that was feasible in theearlier iterations. In contrast to our approach which is guaranteed to terminate,CEGIS may diverge if the possible values for X is infinite. We actually imple-mented CEGIS and evaluated it on our benchmarks. CEGIS diverges even on thesimplest of our benchmarks. It follows an infinite ascending chain along whichthe parameter corresponding to the constant term of the template increases in-definitely. We also evaluated CEGIS by bounding the values of the parametersto be ≤ 200. In this case, CEGIS worked on 5 small benchmarks (viz. list, bst,deq, trie and fold) but timed out on the rest after 30min. For the benchmarkson which it worked, it was 2.5 times to 64 times slower than our approach.

5 Related Work

We are not aware of any existing approach that can handle the class of templatesand programs that our approach handled in the experimental evaluation.

Template-based Invariant Inference. The work of [8] is possibly closestto ours because it performs template-based analysis of imperative programs forfinding heap bounds and handles program paths incrementally using the idea ofpath invariants from [4]. [8] infers only linear bounds. It handles data-structuresusing a separate shape analysis that tracks the heap sizes. Our approach is

Symbolic Resource Bound Inference for Functional Programs 15

for functional programs. We handle a wide range of recursive functions overADTs and are not restricted to size. We integrate the handling of ADTs intothe template solving process, which allows us to solve precise templates. Wesupport nonlinearity and are capable of computing strongest bounds. We areable to handle complex data-structure implementations such as Binomial Heap.[3] presents an approach for handling uninterpreted functions in templates. Wehandle disjunctions that arise because of axiomatizing uninterpreted functionsefficiently through our incremental algorithm that is driven by counter-examplesand are able to scale to VCs with hundreds of uninterpreted functions. Ourapproach also supports algebraic data types and handles sophisticated templatesthat involve user-defined functions. The idea of using Farkas’ lemma to solvelinear templates of numerical programs goes back at least to the work of [7] andhas been generalized in different directions by [25], [9], [15]. [9] and [25] presentsystematic approaches for solving nonlinear templates for numerical programs.Our approach is currently based on light-weight axiomatization of nonlinearoperations which is targeted towards practical efficiency. It remains to be seen ifwe can integrate more complete non-linear reasoning into our approach withoutsacrificing scalability.

Symbolic Resource Bounds Analyses. [14] (SPEED) presents a techniquefor inferring symbolic bounds on loops of C programs that is based on instru-menting programs with counters, inferring linear invariants on counters and com-bining the linear invariants to establish a loop bound. This approach is orthogo-nal to ours where we attempt to find solutions to user-defined templates. In ourbenchmarks, we included a few code snippets on which it was mentioned thattheir tool did not work. Our approach was able to handle them when the tem-plates were provided manually. Our approach is also extensible to other resourcebounds such as depth. The COSTA system of [1] can solve recurrence equa-tions and infer nonlinear time bounds, however, it does not appear to supportalgebraic data types nor user-defined functions within resource bounds.

Other Related works. Counterexample-guided refinement ideas are ubiqui-tous in verification, as well as in software synthesis, where they are used incounterexample-guided inductive synthesis (CEGIS) algorithms by [26], [13],and [18]. One important difference in approaches such as ours is that an in-finite family of counterexamples is eliminated at once. Our experimental resultsof comparison with CEGIS in section 4 indicates that these approaches may suf-fer from similar divergence issues particularly for the resource bound inferenceproblem. Recent work [2] provides a general framework and system for inferringinvariants, which can also handle ∃∀ problems of the form we are considering.The comparison of two approaches requires further work because our target arecontracts with function invocations whereas [2] targets temporal logic formulas.The underlying HSF tool [11] has been shown applicable to a wide range ofanalysis problems. HSF could simplify the building of a resource analyzer suchas ours, though it does not support algebraic data types and resource boundcomputation out of the box.

16 Ravichandhran Madhavan and Viktor Kuncak

References

1. E. Albert, P. Arenas, S. Genaim, G. Puebla, and D. Zanardini. Cost analysis ofobject-oriented bytecode programs. Theor. Comput. Sci., 413(1):142–159, 2012.

2. T. A. Beyene, C. Popeea, and A. Rybalchenko. Solving existentially quantifiedhorn clauses. In CAV, 2013.

3. D. Beyer, T. A. Henzinger, R. Majumdar, and A. Rybalchenko. Invariant synthesisfor combined theories. In VMCAI, 2007.

4. D. Beyer, T. A. Henzinger, R. Majumdar, and A. Rybalchenko. Path invariants.In PLDI, 2007.

5. R. W. Blanc, E. Kneuss, V. Kuncak, and P. Suter. An overview of the Leonverification system. In Scala Workshop, 2013.

6. G. E. Blelloch and B. M. Maggs. Parallel algorithms. Communications of theACM, 39:85–97, 1996.

7. M. Colon, S. Sankaranarayanan, and H. Sipma. Linear invariant generation usingnon-linear constraint solving. In CAV, 2003.

8. B. Cook, A. Gupta, S. Magill, A. Rybalchenko, J. Simsa, S. Singh, and V. Vafeiadis.Finding heap-bounds for hardware synthesis. In FMCAD, 2009.

9. P. Cousot. Proving program invariance and termination by parametric abstraction,lagrangian relaxation and semidefinite programming. In VMCAI, 2005.

10. L. M. de Moura and N. Bjørner. Z3: An efficient smt solver. In TACAS, 2008.11. S. Grebenshchikov, N. P. Lopes, C. Popeea, and A. Rybalchenko. Synthesizing

software verifiers from proof rules. In PLDI, 2012.12. R. Guerraoui, V. Kuncak, and G. Losa. Speculative linearizability. In PLDI, 2012.13. S. Gulwani, S. Jha, A. Tiwari, and R. Venkatesan. Synthesis of loop-free programs.

In PLDI, 2011.14. S. Gulwani, K. K. Mehra, and T. M. Chilimbi. Speed: precise and efficient static

estimation of program computational complexity. In POPL, 2009.15. S. Gulwani, S. Srivastava, and R. Venkatesan. Program analysis as constraint

solving. In PLDI, 2008.16. S. Jacobs and V. Kuncak. Towards complete reasoning about axiomatic specifica-

tions. In VMCAI, 2011.17. M. Kaufmann, P. Manolios, and J. S. Moore, editors. Computer-Aided Reasoning:

ACL2 Case Studies. Kluwer Academic Publishers, 2000.18. E. Kneuss, I. Kuraj, V. Kuncak, and P. Suter. Synthesis modulo recursive func-

tions. In OOPSLA, 2013.19. X. Leroy. Formal verification of a realistic compiler. Commun. ACM, 52(7):107–

115, 2009.20. R. Madhavan and V. Kuncak. Symbolic resource bound inference. Techni-

cal Report EPFL-REPORT-190578, EPFL, 2014. http://infoscience.epfl.ch/record/190578.

21. T. J. M. Makarios. The independence of Tarski’s Euclidean axiom. Archive ofFormal Proofs, October 2012. http://afp.sf.net/entries/Tarskis_Geometry.

shtml, Formal proof development.22. M. Odersky, L. Spoon, and B. Venners. Programming in Scala: a comprehensive

step-by-step guide. Artima Press, 2008.23. D. C. Oppen. Elementary bounds for presburger arithmetic. In Proceedings of the

fifth annual ACM symposium on Theory of computing, 1973.24. A. Rybalchenko and V. Sofronie-Stokkermans. Constraint solving for interpolation.

In VMCAI, 2007.

Symbolic Resource Bound Inference for Functional Programs 17

25. S. Sankaranarayanan, H. B. Sipma, and Z. Manna. Non-linear loop invariant gen-eration using grobner bases. In POPL, 2004.

26. A. Solar-Lezama, L. Tancau, R. Bodık, S. A. Seshia, and V. A. Saraswat. Combi-natorial sketching for finite programs. In ASPLOS, 2006.

27. P. Suter, M. Dotta, and V. Kuncak. Decision procedures for algebraic data typeswith abstractions. In POPL, 2010.

28. P. Suter, A. S. Koksal, and V. Kuncak. Satisfiability modulo recursive programs.In SAS, 2011.

29. L. Yu. A formal model of IEEE floating point arithmetic. Archive of Formal Proofs,July 2013. http://afp.sf.net/entries/IEEE_Floating_Point.shtml, Formalproof development.